1/33
Vocabulary-style practice flashcards covering U.S. privacy laws, enforcement agencies, and information management frameworks based on the September 2025 CIPP/US outline.
Name | Mastery | Learn | Test | Matching | Spaced | Call with Kai | Chat |
|---|
No analytics yet
Send a link to your students to track their progress
Penumbra
A legal concept where the Supreme Court recognizes constitutional rights to privacy as being derived from other provisions and protections in law, despite the word 'privacy' not appearing in the U.S. Constitution.
Preemption
The legal principle where a superior government’s laws supersede or override those of a lower authority, such as federal law overriding state Law.
Deceptive Trade Practices
A practice involving a material statement or omission that is likely to mislead consumers acting reasonably under the circumstances, enforced by the FTC.
Unfair Trade Practices
Practices that cause or are likely to cause substantial injury to consumers that is not reasonably avoidable and is not outweighed by countervailing benefits to consumers or competition.
Consent Decree
A legal agreement where a company does not admit fault but promises to change its practices, often requiring external audits and specific remedies to avoid further litigation.
Data Inventory
The process of identifying what Personally Identifiable Information (PII) an organization has, where it is stored, how it is processed, and how it is transmitted.
Privacy Lifecycle: Assess
The first phase of the privacy operational lifecycle which involves identifying the privacy program's current state and evaluating risks.
Dark Pattern
A user interface designed to manipulate or coerce users into making choices that they might not otherwise make, often by providing no real choice in sharing personal information.
Ransomware
Malware that encrypts a system and its data, demanding payment for decryption and sometimes threatening the public disclosure of PII.
FACTA Disposal Rule
A rule requiring anyone using consumer reports to dispose of such information in a way that prevents unauthorized access, such as burning, shredding, or destroying electronic data.
Privacy Notice
An external-facing document for customers explaining how an organization collects, uses, shares, and retains Personally Identifiable Information (PII).
Data Processing Agreement (DPA)
A contract specifying how a third-party vendor will handle PII on behalf of an organization, including adherence to laws and response protocols for data requests.
Binding Corporate Rules (BCRs)
A safeguard allowing multinational companies to transfer personal data between different countries after obtaining certification from a Data Protection Authority (DPA).
Standard Contractual Clauses (SCCs)
The most common legal basis for transferring personal data from the EU to the US, where a company agrees to comply with EU law and be supervised by a DPA.
Controller
Under GDPR, the entity that determines the business objectives and means of data processing, carrying more legal responsibility than the processor.
HIPAA Covered Entity
Entities subject to HIPAA regulations, including healthcare providers, insurance companies, and their business associates.
Information Blocking
A practice prohibited by the 21st Century Cures Act where healthcare entities interfere with the access, exchange, or use of electronic health information.
Consumer Reporting Agency (CRA)
An entity, such as Equifax, Experian, or TransUnion, that furnishes consumer reports used to establish eligibility for credit, insurance, or employment.
Permissible Purpose
A specific legal reason defined under FCRA (such as a court order or consumer request) required for a CRA to furnish a consumer report.
Red Flags Rule
A requirement under FACTA for financial entities to maintain a written program to detect and respond to patterns or activities that indicate identity theft.
GLBA Safeguards Rule
A regulation requiring financial institutions to maintain a security program with administrative, technical, and physical safeguards to protect customer information.
Divestiture
A transaction where a company sells off a part of its business, necessitating a 'data clean room' for due diligence and new notices of consent as a new controller takes over.
Educational Record
Under FERPA, all records (K-12 through university) maintained by a school, including grades and financial aid, but excluding alumni and campus police records.
Telemarketing Sales Rule (TSR)
An FTC rule requiring telemarketers to disclose self-identification, prohibit abandoned calls, and adhere to calling hours between 8 am and 9 pm.
Customer Proprietary Network Information (CPNI)
Detailed data collected by telecommunications carriers (call logs, billing info, features) that requires express consent before being shared with third parties.
Video Privacy Protection Act (VPPA)
A federal law prohibiting 'video tape service providers' from sharing customer personal information without consent, enacted after the disclosure of a Supreme Court nominee's rental records.
Suspicious Activity Report (SAR)
A report filed with FinCEN by financial institutions if they suspect insider fraud, money laundering, or crimes involving amounts of 5k or more.
Wiretap Act (Title III)
A law prohibiting the interception of oral or wired (phone) communications, requiring at least one party's consent federally, or all parties' consent in stricter states.
Pen Register
A device or process that records the telephone numbers of outgoing calls, authorized if the information is deemed 'relevant to an ongoing investigation'.
FISA Section 702
An amendment allowing the government to conduct mass surveillance of non-US persons located outside the US for up to a year via certification rather than an individual warrant.
GINA
The Genetic Information Nondiscrimination Act, which makes it illegal for employers to gather genetic information or use it for hiring, compensation, or termination decisions.
Cure Period
A specific timeframe, such as 30 days, granted to an organization to rectify a privacy violation before regulatory penalties are enforced.
BIPA
The Illinois Biometric Information Privacy Act, which requires consent for collecting biometric data and grants individuals a private right of action for violations.
Washington My Health, My Data (MHMD) Act
A 2023 law intended to protect health data not covered by HIPAA, notably prohibiting geofencing within 2000ft of healthcare facilities for tracking purposes.